[cryptography] Digitally-signed malware

Tom Ritter tom at ritter.vg
Wed Jun 22 15:52:45 EDT 2011


> What happens if the bad guy just strips the signature? What are the
> circumstances under which an OS or user+OS will refuse to run code that just
> isn't signed at all?

In the case of Microsoft ClickOnce, the Install Dialog is changed from
"Publisher: Discount Bob's Software & Hanggliding" to "Publisher:
Unknown Publisher" and the icon from a yellow shield to a red shield.
I took a look at Man-in-the-Middling ClickOnce deployments last
summer.  Stripped the signature, decompiled to IL, injected code, and
recompiled all as part of a transparent proxy.
http://seclists.org/bugtraq/2010/Jul/164

A similar project is Evilgrade:
http://blog.infobytesec.com/2010/10/evilgrade-20-update-explotation.html
although that's a framework for targeting different applications, each
one possibly behaving differently.

-tom
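The behaviour Tom describes, a stripped signature demoting the dialog to "Unknown Publisher" rather than blocking the install, comes down to one policy decision in the verifier: what to do when no signature is present at all. The following is an added example, not code from the post or from ClickOnce; it is a toy manifest verifier that contrasts the warn-only policy with a fail-closed one, and also shows why a tampered-but-still-signed manifest is rejected while a stripped one is not. To stay standard-library only it uses an HMAC-SHA256 tag as a stand-in for a real public-key signature (in Authenticode the publisher name would come from the certificate chain, not from the signed body); the key, manifest fields and publisher names are constructed.

```python
"""Toy manifest verifier contrasting warn-only and fail-closed handling of
unsigned artifacts. Added example; HMAC stands in for a real signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo key. In a real scheme this would be the publisher's
# private key for signing and a trusted certificate for verification.
PUBLISHER_KEY = b"constructed-demo-publisher-key"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding of the manifest body that the tag covers."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> dict:
    """Attach a signature block covering every field except the signature itself."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"alg": "hmac-sha256-demo", "tag": tag}}


def strip_signature(manifest: dict) -> dict:
    """What a proxy does to downgrade a signed manifest to an unsigned one."""
    return {k: v for k, v in manifest.items() if k != "signature"}


def tamper_keep_signature(manifest: dict, new_entrypoint: str) -> dict:
    """Modify the signed body but leave the old signature in place."""
    return {**manifest, "entrypoint": new_entrypoint}


@dataclass
class Verdict:
    allowed: bool
    publisher: str
    reason: str


def verify(manifest: dict, key: bytes, require_signature: bool) -> Verdict:
    """Verify a manifest under one of two policies.

    require_signature=False mirrors the warn-only behaviour in the post:
    an unsigned manifest is allowed, shown as "Unknown Publisher".
    require_signature=True fails closed: no signature means no install.
    """
    sig = manifest.get("signature")
    body = strip_signature(manifest)

    if sig is None:
        if require_signature:
            return Verdict(False, "Unknown Publisher",
                           "unsigned manifest rejected (fail closed)")
        return Verdict(True, "Unknown Publisher",
                       "unsigned manifest allowed with warning (red shield)")

    tag = sig.get("tag") if isinstance(sig, dict) else None
    if not isinstance(tag, str):
        return Verdict(False, "Unknown Publisher", "malformed signature block")

    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # Body was changed after signing, or signed with a different key.
        return Verdict(False, "Unknown Publisher", "signature does not match body")

    return Verdict(True, body.get("publisher", "Unknown Publisher"),
                   "signature valid (yellow shield)")


def demo() -> list:
    """Run the three scenarios from the post and return the verdicts."""
    # Constructed manifest; publisher name borrowed from the post's example.
    signed = sign_manifest({
        "publisher": "Discount Bob's Software & Hanggliding",
        "entrypoint": "app.exe",
        "version": "1.0",
    })
    tampered = tamper_keep_signature(signed, "injected.exe")
    stripped = strip_signature(signed)
    return [
        verify(signed, PUBLISHER_KEY, require_signature=False),
        verify(tampered, PUBLISHER_KEY, require_signature=False),
        verify(stripped, PUBLISHER_KEY, require_signature=False),
        verify(stripped, PUBLISHER_KEY, require_signature=True),
    ]


if __name__ == "__main__":
    for v in demo():
        print(f"allowed={v.allowed!s:5} publisher={v.publisher!r:45} {v.reason}")
```

The third verdict is the interesting one: modifying the body while keeping the signature is caught by any verifier, but removing the signature entirely is only caught when the policy requires one. An integrity check that degrades to a warning on absence protects against accidental corruption, not against an active proxy.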


